Questions about authentication and reverse proxy setup


tec...@gmail.com

Feb 10, 2016, 9:55:01 PM
to membrane-monitor
Hi

I have the following requirement. Please advise on how to set up the proxies.xml properly.

localhost/...               user authentication is required from root level down (basically user needs to be authenticated to access the whole website)
localhost/subsys1/...  all requests under this url should go to host1:8081
localhost/subsys2/...  all requests under this url should go to host2:8082

I tried to set up the proxies.xml this way, but it doesn't seem to work.  

<router>
  <serviceProxy port="80">
    <path>/</path>
    <basicAuthentication>
      <user name="guest" password="guest"/>
    </basicAuthentication>
  </serviceProxy>

  <serviceProxy port="80">
    <path>/subsys1</path>
    <target host="host1" port="8081"/>
  </serviceProxy>

  <serviceProxy port="80">
    <path>/subsys2</path>
    <target host="host2" port="8082"/>
  </serviceProxy>
</router>

Thanks,
Denny

Tobias Polley

Mar 3, 2016, 4:44:53 AM
to membrane-monitor, tec...@gmail.com
Hi Denny,

Per incoming request, exactly one <serviceProxy> is chosen to handle the request. This means that there is no "inheritance" of the authentication, as your sample config and question might suggest.

The solution is to either declare the <basicAuthentication> in each <serviceProxy>, or declare it once and reference it:

<basicAuthentication id="myBasicAuth">
  <user name="guest" password="guest"/>
</basicAuthentication>

<router>
  <serviceProxy port="80">
    <path>/</path>
    <spring:ref bean="myBasicAuth" />
  </serviceProxy>

  <serviceProxy port="80">
    <path>/subsys1</path>
    <spring:ref bean="myBasicAuth" />
    <target host="host1" port="8081"/>
  </serviceProxy>

  <serviceProxy port="80">
    <path>/subsys2</path>
    <spring:ref bean="myBasicAuth" />
    <target host="host2" port="8082"/>
  </serviceProxy>
</router>

(This is pure Spring functionality and has almost nothing to do specifically with Membrane.)

Best
Tobias
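
An added example (not part of the reply above and not Membrane project code): because authentication is not inherited between <serviceProxy> elements, a proxies.xml can be audited for proxies that carry no authentication interceptor of their own. The function names, the `spring:beans` wrapper with its namespace URIs, and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTH_ELEMENTS = {"basicAuthentication", "login"}  # interceptors named in this thread

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def unauthenticated_proxies(xml_text):
    """Return (port, path) of every <serviceProxy> with no auth interceptor of its own."""
    root = ET.fromstring(xml_text)
    # Auth interceptors declared once with an id, to be pulled in via <spring:ref bean=...>
    auth_ids = {e.get("id") for e in root.iter()
                if local(e.tag) in AUTH_ELEMENTS and e.get("id")}
    findings = []
    for proxy in (e for e in root.iter() if local(e.tag) == "serviceProxy"):
        protected = any(local(c.tag) in AUTH_ELEMENTS
                        or (local(c.tag) == "ref" and c.get("bean") in auth_ids)
                        for c in proxy.iter())
        if not protected:
            path = next((c.text for c in proxy if local(c.tag) == "path"), "/")
            findings.append((proxy.get("port"), path))
    return findings

# Constructed wrapper; the namespace URIs are assumptions and are ignored by the check.
WRAP = ('<spring:beans xmlns="http://membrane-soa.org/proxies/1/" '
        'xmlns:spring="http://www.springframework.org/schema/beans">%s</spring:beans>')

# The configuration from the question: only "/" carries authentication.
QUESTION = WRAP % """<router>
  <serviceProxy port="80"><path>/</path>
    <basicAuthentication><user name="guest" password="guest"/></basicAuthentication>
  </serviceProxy>
  <serviceProxy port="80"><path>/subsys1</path><target host="host1" port="8081"/></serviceProxy>
  <serviceProxy port="80"><path>/subsys2</path><target host="host2" port="8082"/></serviceProxy>
</router>"""

# The declare-once-and-reference form from the reply.
REPLY = WRAP % """<basicAuthentication id="myBasicAuth">
  <user name="guest" password="guest"/></basicAuthentication>
<router>
  <serviceProxy port="80"><path>/</path><spring:ref bean="myBasicAuth"/></serviceProxy>
  <serviceProxy port="80"><path>/subsys1</path><spring:ref bean="myBasicAuth"/>
    <target host="host1" port="8081"/></serviceProxy>
  <serviceProxy port="80"><path>/subsys2</path><spring:ref bean="myBasicAuth"/>
    <target host="host2" port="8082"/></serviceProxy>
</router>"""

print(unauthenticated_proxies(QUESTION), unauthenticated_proxies(REPLY))
```

A <spring:ref> counts as protection only when its bean id belongs to an authentication element found in the same document, so a reference to some other bean is still reported.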

tec...@gmail.com

Mar 9, 2016, 5:23:33 PM
to membrane-monitor, tec...@gmail.com
Thanks,

After the user is authenticated, I don't see an HTTP header returned with authenticated info (JSESSIONID, user, etc.). How should the client (browser) get the authenticated user name? How can I pass the authenticated session to other subsystems (e.g. /subsys1), so they know who the authenticated user is?

tec...@gmail.com

Mar 11, 2016, 10:26:14 AM
to membrane-monitor
If I want to use the <login> in place of the <basicAuthentication>, how do I specify that in proxies.xml?

The login seems to offer more controls like sessionManager and accountBlocker where basicAuthentication seems lacking. Also it allows me to customize my login page.

I am not sure what path in the login I should specify. I want to redirect the user to the login page if a session hasn't been established, regardless of what endpoints he points to. For example, if the user points to localhost/subsystem1 but he hasn't logged in yet, I want him to be redirected to the login page first. Also, I want a "headerX-Backend-User-ID" header with the authenticated username to be forwarded to subsystems, so the subsystems know a session has already been established. How should I specify it?

<login path="/" location="./dialog">
  <staticUserDataProvider>
    <user username="guest" password="guest" secret="abcdefghijklmnop" headerX-Backend-User-ID />
  </staticUserDataProvider>
  <sessionManager
    cookieName="SESSIONID"
    timeout="300000" />
  <accountBlocker
    afterFailedLogins="5"
    afterFailedLoginsWithin="9223372036854775807"
    blockFor="3600000"
    blockWholeSystemAfter="1000000" />
  <emptyTokenProvider />
</login>

I tried to disable the token feature with the <emptyTokenProvider>, but it doesn't seem to work. I still got the page that asks for token verification. How can I disable the token?

Thanks,
Denny